Hi all, 
I've searched through the archives and the internet but as of yet I have been 
unable to find a solution. One or two topics that refer to the problem but no 
solution as of yet. So if it has been posted before I do apologise.

I am running Ubuntu 6.06 LAMP server and have installed Squid 2.5 STABLE12 with 
winbind and Samba 3.0.22 authenticating against AD. I am not sure which version 
of winbind I am using but it must be one of the latest stable releases 
available in the repositories. 

Authentication works fine without any problems. The problem I have is that when 
a user accesses a site we've blocked, it prompts them for a username and 
password. As far as I know it is ntlm_auth because there is no prompt for 
domain, just username and password.
The cache.log doesn't quite tell me anything nor do any of the other logs. I 
have a very busy syslog so I need to grep the info I need, but don't know what 
to search for. If I grep winbind I do get the following:

Sep 12 09:39:01 helsinki winbindd[4013]: [2007/09/12 09:39:01, 0] 
Sep 12 09:39:01 helsinki winbindd[4013]:   string_to_sid: Sid S-0-0 is not in a valid format.

I can use wbinfo to query the domain for just about everything: the trust 
succeeds, I can get the gids for a user, and I can look up domain users and 
domain groups. Wbinfo_group.pl when queried returns with OK, as does ntlm_auth.

I googled it but it seems that Samba used to ignore these messages in the past 
but now it forwards them through to syslog.
I do not really know what to look for in the logs for this problem. Permissions 
on winbindd_privileged are set (and I think correctly because otherwise it 
would just not authenticate).
The users are still denied from accessing the website but it prompts them each 
time. And whenever they are on Google's image website it creates massive 
complaints when there are some images referenced to a denied site and then the 
prompt just keeps appearing.

This probably shouldn't have any bearing on the problem, but I'll mention it 
anyway. I have also installed Nagios 3.0b along with Apache2.
Though I think they should work nicely together. 
Any help is greatly appreciated.

Here are my squid.conf details:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm children 80
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param ntlm use_ntlm_negotiate on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm DAV-webcache proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

### example
#auth_param ntlm program /usr/local/bin/ntlm_auth 
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 20 minutes

#auth_param basic program /usr/local/bin/ntlm_auth 
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

## ACL for ADS user
#external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
##external_acl_type NT_global_group children=10 ttl=900 %LOGIN 
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN 
acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl TrustedUsers proxy_auth REQUIRED
acl UnrestrictedUsers external NT_global_group WebAll
acl RestrictedUsers external NT_global_group WebMoreAccess
acl NewUsers external NT_global_group BlockedCareerSites

##Access control lists must be entered here
http_access deny blocked_sites_1 RestrictedUsers
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers

http_access allow AuthorizedUsers ProxyUsers
http_access allow TrustedUsers RestrictedUsers
http_access allow UnrestrictedUsers
http_access allow NewUsers
#http_access allow dav_net

#miss_access allow all
#always_direct deny all
#never_direct allow all

# And finally deny all other access to this proxy
http_access deny all
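
Added example, not part of the original post: a common cause of the repeated prompt described above is that Squid answers with a 407 re-challenge instead of a 403 when the last ACL on a matching http_access deny line is authentication-related (proxy_auth, or an external ACL whose helper takes %LOGIN). The Python check below flags such lines in a constructed subset of the posted config. The function names and the suggested trailing "all" ACL are assumptions of this example.

```python
# Added example: flag "http_access deny" rules whose last ACL is auth-related.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Constructed sample: a subset of the squid.conf lines quoted in the post.
SAMPLE_CONF = """\
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN
acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl NewUsers external NT_global_group BlockedCareerSites
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers
http_access allow AuthorizedUsers ProxyUsers
http_access deny all
"""

def _tokens(conf):
    """Yield (line number, tokens) for every non-empty, non-comment line."""
    for lineno, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if tok and not tok[0].startswith("#"):
            yield lineno, tok

def auth_acl_names(conf):
    """Names of ACLs that make Squid ask for credentials."""
    # External helpers that receive the login name need an authenticated user.
    login_helpers = {t[1] for _, t in _tokens(conf)
                     if t[0] == "external_acl_type" and len(t) > 1 and "%LOGIN" in t}
    names = set()
    for _, t in _tokens(conf):
        if t[0] != "acl" or len(t) < 3:
            continue
        if t[2] in AUTH_ACL_TYPES:
            names.add(t[1])
        elif t[2] == "external" and len(t) > 3 and t[3] in login_helpers:
            names.add(t[1])
    return names

def find_reprompting_denies(conf):
    """Return (line number, rule, suggested rule) for deny rules ending in an auth ACL."""
    auth = auth_acl_names(conf)
    return [(n, " ".join(t), " ".join(t) + " all")
            for n, t in _tokens(conf)
            if t[:2] == ["http_access", "deny"] and t[-1].lstrip("!") in auth]

if __name__ == "__main__":
    for n, rule, fix in find_reprompting_denies(SAMPLE_CONF):
        print(f"line {n}: {rule!r} may re-prompt; consider {fix!r}")
```

Ending the deny line with a non-authentication ACL such as "all" leaves the match unchanged but makes that ACL the last one evaluated, so the user gets the access-denied page rather than another login prompt.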

